That’s 5 grams per page, or 13 tonnes for the paper version of the Panama Papers.

Lots of the media coverage you’ll have seen so far deals with the question, “Who’s been named in the Papers?”

You’d think that publishing those details would be off limits, given that the 13 tonnes of information about Mossack Fonseca’s customers was stolen, and everyone knows it was stolen…

…but the justification for writing about it seems to be that if you’ve ever made use of confidential (OK, secret) offshore banking, legal and taxation services, then you are, by implication, up to no good and therefore no longer deserve to have your privacy respected.

As a result, the stolen data is now as good as in the public domain.

What happened?

Here at Naked Security, we’re more interested in how the breach happened, and what we can learn from that part of the story, than in what we can conclude from information that was illegally acquired in the first place.

The problem is that, so far, we just don’t know how the hackers did it.

Given the scale of the breach, it certainly sounds as though there was more involved than just finding a password or tricking a user into opening a booby-trapped attachment.

Presumably, the hackers needed to get in, find their way around, figure out what data was stored where, work out how to access it, and then find a way to collect and exfiltrate it.

Mossack Fonseca has trotted out the truisms we often hear after a breach of this sort.

According to what looks like a screenshot posted on Twitter, Mossack Fonseca said, “Unfortunately, we have been subject to an unauthorized attack of our email server.”

The company also promised that it has taken “all necessary measures to prevent this from happening again,” stated that it is taking “additional measures to further strengthen [its] systems,” and claimed to be “in the process of an in-depth investigation with experts.”

What to do?

An email breach may not sound like much on its own, but even if a crook manages to get hold of just one user’s password, that can be enough to get started.

After all, emails sent from an internal account have the apparent legitimacy of coming from inside, so the crook can make believable-sounding IT requests, such as asking for a password reset, and then intercept any helpful replies that come back.

Worse still, if a crook manages to breach the email server itself, he could end up harvesting all incoming and outgoing attachments, at least some of which will give away secrets that help him get further and further into the network.

If a crook has already breached your outermost defences and is poking around inside, he’s more likely to be noticed, and stopped, if you create a culture of security at work.

That means being honest and up front about cybersecurity with colleagues and customers alike, no matter what.

Sophos’s own IT Security Manager, Ross McKerchar, has 6 tips on how to create that sort of culture.

I was also under the impression from multiple sources that it was an inside leak. I did see that they published it was a hack in their news release, which caused me to wonder who was correct. Is the source for this in your article only the Fonseca press release, or have other outlets confirmed it was an actual hack as opposed to a whistleblower?

Wired has published a lengthy story that implies that the leak happened piecemeal over a long period of time, but it’s still as clear as mud how many people were involved; how they got at the data; how they got it out; how long the actual breach took to achieve; how many databases, servers, accounts, backup devices and whatnot were drained of data…

A cursory reading of the Wired article does, indeed, seem to imply that it was an inside job. Yet Wired explicitly uses the words “unknown source,” which means Wired *can’t* tell you (rather than merely that it won’t) whether it was an inside job or an outside one.

And, to be precise, Mossack Fonseca has said nothing more than that it was “subject to an unauthorized breach of [its] mail server,” without saying what else was or wasn’t involved in 2.6TB flowing outwards.

For example, it could be insiders, outsiders or both; it could be a whistleblower who aimed to leak the data from inside; it could be activists who went after it systematically and hit the jackpot; it could be crooks who had a dig around and then decided their spoils were too hot to handle for financial reward and so leaked them; it could be all of those.

From what I gather this is more of a dump from the document management system. There are documents going back to 1977, long before email was around, and there is a database being used to search through the papers. As an email administrator, knowing the amount of crap that gets collected in email and how scattered it is, I can’t see this being email.

The date of 1977 is when the company started, so if a document database was breached, it’s not surprising that the documents go back that far, assuming historical stuff had been scanned in for the record. So I agree that “our email server suffered unauthorised access” is unlikely, if not actually impossible, as a complete explanation.

Nevertheless (and this is the point I was trying to make), an email server breach that you don’t notice promptly is about much more than that. Email isn’t the castle but it’s likely to contain the keys to the castle…and, indeed, the keys to other people’s castles, too.

I’d like to add that, as JD mentioned, this points out the true seriousness of lax IT security practices. You don’t just have to protect against current documents regarding future projects being stolen or compromised; getting access to the right internal credentials provides access to all corporate data that exists.

“The company also promised it has taken ‘all necessary measures to prevent this from happening again,’ stated that it is taking ‘additional measures to further strengthen [its] systems,’ and claimed to be ‘in the process of an in-depth investigation with experts.’”

This quote shows a significant shortsightedness: when a law firm has just been breached for 39 years’ worth of client data, taking measures to prevent it from happening again isn’t all that useful. It won’t save the firm, nor protect their clients.

Speculating, it’s possible that the attack on their email server had nothing to do with the attacker getting in, but was the method the insider used to get all the data out — and because of how the server was set up, nobody noticed that over a 1 year period, 2.6TB of data was sent from there to points unknown. If this is the case, it shows the importance of flagging and investigating network and system anomalies and getting to the root cause.
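The article’s point about a breached mail server becoming an exfiltration channel, and the last comment’s point that 2.6TB leaving over a year should have been flagged, both come down to the same detection problem: spotting a sustained change in a host’s outbound volume, and a host talking to a destination it never talked to before. The Python below is an added example written for this page, not code from Naked Security, Sophos or Mossack Fonseca. It assumes flow records have been reduced to (day, source host, destination, bytes out), which any firewall or NetFlow export can be boiled down to; the host names, the 2.6TB/365-day arithmetic and the flow records themselves are constructed for illustration.

```python
"""Egress anomaly detection over constructed flow records (added example).

Two checks a mail server breach like the one discussed should trip:
  1. sustained daily egress well above a robust (median/MAD) baseline, and
  2. a new destination that the host never talked to during the baseline.
Host names, destinations and volumes below are made up for the example.
"""
from collections import defaultdict
from statistics import median

MB = 10**6
GB = 10**9


def daily_rate(total_bytes, days):
    """Average bytes/day needed to move total_bytes in `days` days.
    2.6 TB over a year comes out at roughly 7.1 GB every single day."""
    return total_bytes / days


def build_flows(days=60, exfil_start=30, exfil_per_day=7 * GB):
    """Constructed flow log: (day, src_host, dst, bytes_out). Deterministic
    'noise' keeps the numbers realistic without a random generator."""
    flows = []
    for day in range(days):
        # mail01: ordinary outbound mail, 0.9-1.1 GB/day across two relays
        for i, relay in enumerate(("smtp-relay-a", "smtp-relay-b")):
            flows.append((day, "mail01", relay, (450 + 25 * ((2 * day + i) % 5)) * MB))
        # files01: 0.15-0.25 GB/day of backup traffic, never anomalous
        flows.append((day, "files01", "backup01", (150 + 25 * ((3 * day) % 5)) * MB))
        if day >= exfil_start:
            # the slow drain: ~7 GB/day from the mail server to one outside host
            flows.append((day, "mail01", "203.0.113.7", exfil_per_day))
    return flows


def daily_egress(flows):
    """Sum bytes out per host per day: {host: {day: bytes}}."""
    per_host = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        per_host[host][day] += nbytes
    return per_host


def robust_baseline(values):
    """Median and median absolute deviation. Unlike mean/stddev these are
    not dragged upwards by the very outliers we are trying to catch."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_sustained_egress(per_host, baseline_days=30, k=6, min_run=3):
    """Learn median/MAD from the first baseline_days days per host, then report
    runs of at least min_run consecutive days above median + k*MAD.
    Requiring a run ignores a one-off spike (a legitimate bulk mailout) and
    catches exactly the steady, every-day drain described in the comments."""
    findings = {}
    for host, by_day in per_host.items():
        days = sorted(by_day)
        med, mad = robust_baseline([by_day[d] for d in days[:baseline_days]])
        threshold = med + k * mad
        flagged, run = [], []
        for d in days[baseline_days:] + [None]:  # None closes the final run
            if d is not None and by_day[d] > threshold:
                run.append(d)
                continue
            if len(run) >= min_run:
                flagged.extend(run)
            run = []
        if flagged:
            findings[host] = flagged
    return findings


def new_destinations(flows, baseline_days=30):
    """Destinations a host first contacts after the baseline window.
    A mail server should only ever hand traffic to its known relays."""
    seen, novel = defaultdict(set), defaultdict(set)
    for day, host, dst, _n in sorted(flows):
        if day < baseline_days:
            seen[host].add(dst)
        elif dst not in seen[host]:
            novel[host].add(dst)
    return dict(novel)


if __name__ == "__main__":
    flows = build_flows()
    print(f"2.6 TB over a year is about {daily_rate(2.6e12, 365) / GB:.1f} GB/day")
    for host, days in flag_sustained_egress(daily_egress(flows)).items():
        print(f"{host}: egress above baseline on {len(days)} consecutive days "
              f"(day {days[0]}..{days[-1]})")
    for host, dsts in new_destinations(flows).items():
        print(f"{host}: new destinations after baseline: {sorted(dsts)}")
```

The baseline window and the k multiplier are the knobs to tune: a 30-day window of median/MAD is deliberately insensitive to a few noisy days, and the consecutive-day requirement is what separates “someone mailed a big report” from “this box has been draining data every day for a month”. The destination check is the cheaper of the two and would have fired on the first day an internal mail server started talking to an address outside its relay list.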